惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Simon Willison's Weblog
Simon Willison's Weblog
T
Threatpost
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Spread Privacy
Spread Privacy
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Engineering at Meta
Engineering at Meta
T
Tenable Blog
C
Cisco Blogs
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
P
Privacy & Cybersecurity Law Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
Secure Thoughts
N
News and Events Feed by Topic
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
Microsoft Azure Blog
Microsoft Azure Blog
月光博客
月光博客
H
Hacker News: Front Page
I
InfoQ
L
LangChain Blog
Security Latest
Security Latest
The Cloudflare Blog
Forbes - Security
Forbes - Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Stack Overflow Blog
Stack Overflow Blog
TaoSecurity Blog
TaoSecurity Blog
量子位
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
Scott Helme
Scott Helme
爱范儿
爱范儿
A
Arctic Wolf
F
Full Disclosure
酷 壳 – CoolShell
酷 壳 – CoolShell
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Know Your Adversary
Know Your Adversary
Application and Cybersecurity Blog
Application and Cybersecurity Blog

Darktrace Blog

Why behavioral AI is the answer to Mythos 7 MCP Risks CISO’s Should Consider and How to Prepare How To Secure AI And Find The Gaps In Your Security Operations 92% of Security Pros Concerned About AI Agents Darktrace Launches Unified Security Awareness Training and Messaging Security Darktrace Identifies Encryption in a World Leaks Ransomware Attack NetSupport RAT: Why Legitimate Tools Are as Damaging as Malware What the Darktrace Annual Threat Report 2026 Means for Security Leaders CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding AppleScript Abuse: Unpacking a macOS Phishing Campaign Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access Medusa Ransomware 2025: RMM Abuse in Ransomware Campaigns How a Leading Bank is Prioritizing Risk Management with Darktrace A framework for securing AI in the enterprise The Year Ahead: AI Cybersecurity Trends to Watch in 2026 Phishing attacks surge by 620% in the lead-up to Black Friday How to Manage Risk in Amazon Bedrock Vo1d Botnet Exposed: How Darktrace Detected a Global Android Threat Why API + Journaling Delivers Faster, SLA-Backed Email Security for Microsoft 365 Darktrace delivers the next evolution of unified and proactive NDR Salty Much: Darktrace’s take on a recent Salt Typhoon intrusion Akira SonicWall Campaign Uncovered Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace Industry-First Automated Cloud Forensics ShadowV2: An emerging DDoS for hire botnet SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor Why Unifying Email and Network Security Is Critical for Modern Cyber Defense What is a VPS and How Do Attackers Abuse Virtual Servers? Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities 2025 Cyber Threats: A Mid‑Year Review AI Analyst in Action: 4 Real-World Investigations using AI Investigations AI Maturity Model: A Roadmap for Security 5 Core Capabilities for Cloud Forensics and IR Wallet Drainers: How Scams Steal Funds Top Eight Threats to SaaS Security and How to Combat Them Darktrace Tracks CVE‑2025‑31324 Activity UK Cyber Bill: What CISOs Need to Know Unpacking ClickFix: Darktrace Detection Insights Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response Evaluating Email Security: How to Select the Best Solution for Your Organization AsyncRAT Exposed: Signals and Mitigations Anomaly-Based Threat Hunting: Darktrace's Approach in Action Darktrace Tracks SocGholish to RansomHub How NDR and Secure Access Service Edge (SASE) Work Together to Achieve Network Security Outcomes Force Multiply Your Security Team with Agentic AI: How the Industry’s Only True Cyber AI Analyst™ Saves Time and Stop Threats Why Data Classification Isn’t Enough to Prevent Data Loss Email bombing exposed: Darktrace’s email defense in action Global Technology Provider Transforms Email Threat Detection with Darktrace Survey findings: How is AI Impacting the SOC? Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats New Threat on the Prowl: Investigating Lynx Ransomware Why Darktrace / EMAIL Excels Against APTs RansomHub’s Rise: RaaS Market Insights CNAPP Alone Isn’t Enough: Focusing on CDR for Real-Time Cross Domain Protection Reimagining Your SOC: How to Shift Away From Reactive Network Security RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal Why AI-powered Email Protection Became Essential for this Global Financial Services Leader Agent vs. Agentless Cloud Security: Why Deployment Methods Matter Defending AITM Phishing and Mamba Attacks Breaking Down Nation State Attacks on Supply Chains Darktrace is Positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment Protecting Your Hybrid Cloud: The Future of Cloud Security in 2025 and Beyond Phishing Attacks Surge Over 600% in the Buildup to Black Friday Why Artificial Intelligence is the Future of Cybersecurity Darktrace Leading the Future of Network Detection and Response With Recognition from KuppingerCole AI and Cybersecurity: Predictions for 2025 Navigating Buying and Adoption Journeys for AI Cybersecurity Tools How Darktrace won an email security trial by learning the business, not the breach Introducing Real-Time Multi-Cloud Detection & Response Powered by AI From Call to Compromise: Darktrace’s Response to a Vishing-Induced Network Attack Business Email Compromise (BEC) in the Age of AI How AI can help CISOs navigate the global cyber talent shortage What you need to know about FAA Security Protection Regulations 2024 Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats How Darktrace’s AI Applies a Zero-Trust Mentality within Critical Infrastructure Supply Chains Darktrace Releases 2024 Half-Year Threat Insights Safelink Smuggling: Enhancing Resilience Against Malicious Links CDR is just NDR for the Cloud... Right? Qilin RaaS: Darktrace Detection Insights Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks Safeguarding Distribution Centers in the Digital Age Darktrace Investigation Into Medusa Ransomware Exploring the Benefits and Risks of Third-Party Data Solutions Strategies to Combat Microsoft Teams Phishing Attacks Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC The Rise of Alternative Access in Cloud Attacks The State of AI in Cybersecurity: How AI will impact the cyber threat landscape in 2024 Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace / EMAIL Utilizing AI Security Against Phishing Campaigns AI Function Assistance to Humans in Cyber Crises How Darktrace SOC Thwarted a BEC Attack Understanding Email Security & the Psychology of Trust Breaking Down "ICES": An Umbrella Term With Wide Variety Boosting Security Posture with Email Integration Enhancing Darktrace with Microsoft Defender Flexible Deployments for Enhanced Email Security
Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace
Justin Torres · 2025-11-05 · via Darktrace Blog

What is DragonForce?

DragonForce is a Ransomware-as-a-Service (RaaS) platform that emerged in late 2023, offering broad-scale capabilities and infrastructure to threat actors. Recently, DragonForce has been linked to attacks targeting the UK retail sector, resulting in several high-profile cases [1][2]. Moreover, the group launched an affiliate program offering a revenue share of roughly 20%, significantly lower than commissions reported across other RaaS platforms [3].

This Darktrace case study examines a DragonForce-linked RaaS infection within the manufacturing industry. The earliest signs of compromise were observed during working hours in August 2025, where an infected device started performing network scans and attempted to brute-force administrative credentials. After eight days of inactivity, threat actors returned and multiple devices began encrypting files via the SMB protocol using a DragonForce-associated file extension. Ransom notes referencing the group were also dropped, suggesting the threat actor is claiming affiliation with DragonForce, though this has not been confirmed.

Despite Darktrace’s detection of the attack in its early stages, the customer’s deployment did not have Darktrace’s Autonomous Response capability configured, allowing the threat to progress to data exfiltration and file encryption.

Darktrace's Observations

While the initial access vector was not clearly defined in this case study, it was likely achieved through common methods previously employed out by DragonForce affiliates. These include phishing emails leveraging social engineering tactics, exploitation of public-facing applications with known vulnerabilities, web shells, and/or the abuse of remote management tools.

Darktrace’s analysis identified internal devices performing internal network scanning, brute-forcing credentials, and executing unusual Windows Registry operations. Notably, Windows Registry events involving "Schedule\Taskcache\Tasks" contain subkeys for individual tasks, storing GUIDs that can be used to locate and analyze scheduled tasks. Additionally, Control\WMI\Security holds security descriptors for WMI providers and Event Tracing loggers that use non-default security settings respectively.

Furthermore, Darktrace identified data exfiltration activity over SSH, including connections to an ASN associated with a malicious hosting service geolocated in Russia.

1. Network Scan & Brute Force

Darktrace identified anomalous behavior in late August to early September 2025, originating from a source device engaging in internal network scanning followed by brute-force attempts targeting administrator credential, including “administrator”, “Admin”, “rdpadmin”, “ftpadmin”.

Upon further analysis, one of the HTTP connections seen in this activity revealed the use of the user agent string “OpenVAS-VT”, suggesting that the device was using the OpenVAS vulnerability scanner. Subsequently, additional devices began exhibiting network scanning behavior. During this phase, a file named “delete.me” was deleted by multiple devices using SMB protocol. This file is commonly associated with network scanning and penetration testing tool NetScan.

2. Windows Registry Key Update

Following the scanning phase, Darktrace observed the initial device then performing suspicious Winreg operations. This included the use of the ”BaseRegOpenKey” function across multiple registry paths.

Additional operations such as “BaseRegOpenKey” and “BaseRegQueryValue” were also seen around this time. These operations are typically used to retrieve specific registry key values and allow write operations to registry keys.

The registry keys observed included “SYSTEM\CurrentControlSet\Control\WMI\Security” and “Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks”. These keys can be leveraged by malicious actors to update WMI access controls and schedule malicious tasks, respectively, both of which are common techniques for establishing persistence within a compromised system.

3. New Administrator Credential Usage

Darktrace subsequently detected the device using a highly privileged credential, “administrator”, via a successful Kerberos login for the first time. Shortly after, the same credential was used again for a successful SMB session.

These marked the first instances of authentication using the “administrator” credential across the customer’s environment, suggesting potential malicious use of the credential following the earlier brute-force activity.

Darktrace’s detection of administrator credentials being used in Kerberos login events by an infected device.

Figure 1: Darktrace’s detection of administrator credentials being used in Kerberos login events by an infected device.

Darktrace’s detection of administrator credentials being used in SMB sessions by an infected device.

Figure 2: Darktrace’s detection of administrator credentials being used in SMB sessions by an infected device.

4. Data Exfiltration

Prior to ransomware deployment, several infected devices were observed exfiltrating data to the malicious IP 45.135.232[.]229 via SSH connections [7][8]. This was followed by the device downloading data from other internal devices and transferring an unusually large volume of data to the same external endpoint.

The IP address was first seen on the network on September 2, 2025 - the same date as the observed data exfiltration activity preceding ransomware deployment and encryption.

Further analysis revealed that the endpoint was geolocated in Russia and registered to the malicious hosting provider Proton66. Multiple external researchers have reported malicious activity involving the same Proton66 ASN (AS198953 Proton66 OOO) as far back as April 2025. These activities notably included vulnerability scanning, exploitation attempts, and phishing campaigns, which ultimately led to malware [4][5][6].

Data Exfiltration Endpoint details.

  • Endpoint: 45.135.232[.]229
  • ASN: AS198953 Proton66 OOO
  • Transport protocol: TCP
  • Application protocol: SSH
  • Destination port: 22

Darktrace’s summary of the external IP 45.135.232[.]229, first detected on September 2, 2025. The right-hand side showcases model alerts triggered related to this endpoint including multiple data exfiltration related model alerts.

Figure 3: Darktrace’s summary of the external IP 45.135.232[.]229, first detected on September 2, 2025. The right-hand side showcases model alerts triggered related to this endpoint including multiple data exfiltration related model alerts.

Further investigation into the endpoint using open-source intelligence (OSINT) revealed that it led to a Microsoft Internet Information Services (IIS) Manager console webpage. This interface is typically used to configure and manage web servers. However, threat actors have been known to exploit similar setups, using fake certificate warnings to trick users into downloading malware, or deploying malicious IIS modules to steal credentials.

Live screenshot of the destination (45.135.232[.]229), captured via OSINT sources, displaying a Microsoft IIS Manager console webpage.

Figure 4: Live screenshot of the destination (45.135.232[.]229), captured via OSINT sources, displaying a Microsoft IIS Manager console webpage.

5. Ransomware Encryption & Ransom Note

Multiple devices were later observed connecting to internal devices via SMB and performing a range of actions indicative of file encryption. This suspicious activity prompted Darktrace’s Cyber AI Analyst to launch an autonomous investigation, during which it pieced together associated activity and provided concrete timestamps of events for the customer’s visibility.

During this activity, several devices were seen writing a file named “readme.txt” to multiple locations, including network-accessible webroot paths such as inetpub\ and wwwroot\. This “readme.txt” file, later confirmed to be the ransom note, claimed the threat actors were affiliated with DragonForce.

At the same time, devices were seen performing SMB Move, Write and ReadWrite actions involving files with the “.df_win” extension across other internal devices, suggesting that file encryption was actively occurring.

Darktrace’s detection of SMB events (excluding Read events) where the device was seen moving or writing files with the “.df_win” extension.

Figure 5: Darktrace’s detection of SMB events (excluding Read events) where the device was seen moving or writing files with the “.df_win” extension.

Darktrace’s detection of a spike in SMB Write events with the filename “readme.txt” on September 9, indicating the start of file encryption.

Figure 6: Darktrace’s detection of a spike in SMB Write events with the filename “readme.txt” on September 9, indicating the start of file encryption.

Conclusion

The rise of Ransomware-as-a-Service (RaaS) and increased attacker customization is fragmenting tactics, techniques, and procedures (TTPs), making it increasingly difficult for security teams to prepare for and defend against each unique intrusion. RaaS providers like DragonForce further complicate this challenge by enabling a wide range of affiliates, each with varying levels of sophistication [9].

In this instance, Darktrace was able to identify several stages of the attack kill chain, including network scanning, the first-time use of privileged credentials, data exfiltration, and ultimately ransomware encryption. Had the customer enabled Darktrace’s Autonomous Response capability, it would have taken timely action to interrupt the attack in its early stages, preventing the eventual data exfiltration and ransomware detonation.

Credit to Justin Torres, Senior Cyber Analyst, Nathaniel Jones, VP, Security & AI Strategy, FCISO, & Emma Foulger, Global Threat Research Operations Lead.

Edited by Ryan Traill (Analyst Content Lead)

[related-resource]

Appendices

References:

1. https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/

2. https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants

3. https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/

4. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/

5. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/

6. https://www.broadcom.com/support/security-center/protection-bulletin/proton66-infrastructure-tied-to-expanding-malware-campaigns-and-c2-operations

7. https://www.virustotal.com/gui/ip-address/45.135.232.229

8. https://spur.us/context/45.135.232.229

9. https://www.group-ib.com/blog/dragonforce-ransomware/

IoC - Type - Description + Confidence

·      45.135.232[.]229 - Endpoint Associated with Data Exfiltration

·      .readme.txt – Ransom Note File Extension

·      .df_win – File Encryption Extension Observed

MITRE ATT&CK Mapping

DragonForce TTPs vs Darktrace Models

Initial Access:

·      Anomalous Connection::Callback on Web Facing Device

Command and Control:

·      Compromise::SSL or HTTP Beacon

·      Compromise::Beacon to Young Endpoint

·      Compromise::Beaconing on Uncommon Port

·      Compromise::Suspicious SSL Activity

·      Anomalous Connection::Devices Beaconing to New Rare IP

·      Compromise::Suspicious HTTP and Anomalous Activity

·      DNS Tunnel with TXT Records

Tooling:

·      Anomalous File::EXE from Rare External Location

·      Anomalous File::Masqueraded File Transfer

·      Anomalous File::Numeric File Download

·      Anomalous File::Script from Rare External Location

·      Anomalous File::Uncommon Microsoft File then Exe

·      Anomalous File::Zip or Gzip from Rare External Location

·      Anomalous File::Uncommon Microsoft File then Exe

·      Anomalous File::Internet Facing System File Download

Reconnaissance:

·      Device::Suspicious SMB Query

·      Device::ICMP Address Scan

·      Anomalous Connection::SMB Enumeration

·      Device::Possible SMB/NTLM Reconnaissance

·      Anomalous Connection::Possible Share Enumeration Activity

·      Device::Possible Active Directory Enumeration

·      Anomalous Connection::Large Volume of LDAP Download

·      Device::Suspicious LDAP Search Operation

Lateral Movement:

·      User::Suspicious Admin SMB Session

·      Anomalous Connection::Unusual Internal Remote Desktop

·      Anomalous Connection::Unusual Long Remote Desktop Session

·      Anomalous Connection::Unusual Admin RDP Session

·      User::New Admin Credentials on Client

·      User::New Admin Credentials on Server

·      Multiple Device Correlations::Spreading New Admin Credentials

·      Anomalous Connection::Powershell to Rare External

·      Device::New PowerShell User Agent

·      Anomalous Active Directory Web Services

·      Compromise::Unusual SVCCTL Activity

Evasion:

·      Unusual Activity::Anomalous SMB Delete Volume

·      Persistence

·      Device::Anomalous ITaskScheduler Activity

·      Device::AT Service Scheduled Task

·      Actions on Objectives

·      Compromise::Ransomware::Suspicious SMB Activity (EM)

·      Anomalous Connection::Sustained MIME Type Conversion

·      Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

·      Compromise::Ransomware::Possible Ransom Note Write

·      Data Sent to Rare Domain

·      Uncommon 1 GiB Outbound

·      Enhanced Unusual External Data Transfer

Darktrace Cyber AI Analyst Coverage/Investigation Events:

·      Web Application Vulnerability Scanning of Multiple Devices

·      Port Scanning

·      Large Volume of SMB Login Failures

·      Unusual RDP Connections

·      Widespread Web Application Vulnerability Scanning

·      Unusual SSH Connections

·      Unusual Repeated Connections

·      Possible Application Layer Reconnaissance Activity

·      Unusual Administrative Connections

·      Suspicious Remote WMI Activity

·      Extensive Unusual Administrative Connections

·      Suspicious Directory Replication Service Activity

·      Scanning of Multiple Devices

·      Unusual External Data Transfer

·      SMB Write of Suspicious File

·      Suspicious Remote Service Control Activity

·      Access of Probable Unencrypted Password Files

·      Internal Download and External Upload

·      Possible Encryption of Files over SMB

·      SMB Writes of Suspicious Files to Multiple Devices

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content.